Nokia 6120c and Mail For Exchange

Forums › Legacy mobile platforms (Windows Mobile, Palm OS, Web OS, Symbian, Meego, Blackberry) › Nokia 6120c and Mail For Exchange

1 | 2 | 3

1149 posts

Uber Geek
+1 received by user: 95
Inactive user

#328163 9-May-2010 14:09

Ah, thanks for that Mauricio :)

Here are the main settings. Note that "enable unsupported devices" is checked.

Clicking on "device security" above gives the following device settings...

I think it would have to be an IIS setting given that the phone can't even navigate to the [server]/certsrv page. Maybe an SSL setting? Anyone know where I find these?

mm1352000

1149 posts

Uber Geek
+1 received by user: 95
Inactive user

#328167 9-May-2010 14:21

Kyanar:
@mm1352000: if your Exchange server uses a publicly accessible DNS name, have you tried getting a $15 certificate from Godaddy or whatever and using that?

The DNS is a little confusing for me. There is a public website using http://www.[dns name] hosted by openhost, and then there is public access to the server via https://smtp.[dns name]. I'm not quite sure how it is set up as I can't see the SMTP prefix in the openhost DNS settings. Theoretically it would be possible to get another cert as there is nobody else configured for mobile exchange access yet. At this point I'm thinking the problem is not certificates but SSL settings. Unfortunately there don't appear to be any non-HTTPS services hosted on the Exchange server (smtp prefixed)...

mm1352000

1149 posts

Uber Geek
+1 received by user: 95
Inactive user

#328190 9-May-2010 15:33

@BrentR:
You asked about the Mail For Exchange logs. When I attempted to sync with a secure connection and get the message "system error: try again later" there is nothing in the log. Attempting to sync with an unsecure connection gives a 504 gateway timeout error (as expected, because the server only supports secure sync, and I don't know how to change this).

mm1352000

1149 posts

Uber Geek
+1 received by user: 95
Inactive user

#328223 9-May-2010 16:40

Further info:
I tried moving my 2degrees SIM from my N97 to the 6120 (added the 2degrees 'internet' AP to the 6120). Was able to get to google but still got the same server access errors. Dad uses the 6120 to connect to the internet on a netbook via bluetooth modem. The server can be accessed on the netbook using IE8 and the Tcom SIM. The usual "there is a problem with this website's security certificate" message is shown, but clicking "continue to this website (not recommended)" works as usual...

freitasm

BDFL - Memuneh
80953 posts

Uber Geek
+1 received by user: 41729

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#328225 9-May-2010 16:46

Until you install the private CA Root certificate your device won't connect to the server for ActiveSync.

Nothing to do with the operator. You need to get into your Windows Server and export the root certificate.

Follow the steps here http://support.microsoft.com/kb/555252 then copy the .cer to your device and install it.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

mm1352000

1149 posts

Uber Geek
+1 received by user: 95
Inactive user

#328228 9-May-2010 16:55

freitasm: Until you install the private CA Root certificate your device won't connect to the server for ActiveSync.

Nothing to do with the operator. You need to get into your Windows Server and export the root certificate.

Follow the steps here http://support.microsoft.com/kb/555252 then copy the .cer to your device and install it.

Thanks for weighing in Mauricio. I'm afraid that my experience suggests that I don't need the cert. To be specific: I don't have to install the cert on the N97 for it to work fine. This is not 2 level authentication with users having to have a private certificate (to identify them) to connect. Rather, it is simply https access with login using domain user accounts. Even if I am wrong, I have tried following the steps (or equivalent) given in the link however the cert can't be put in the phone's store. As I have tried to explain, the phone just won't recognise the cert!

New World

Shop on-line at New World now for your groceries (affiliate link).

freitasm

BDFL - Memuneh
80953 posts

Uber Geek
+1 received by user: 41729

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#328234 9-May-2010 17:11

Yep, this is the problem. ActiveSync uses SSL to communicate with the server. You are using a self-signed certificate on your server. This is not to identify users. This is just the keys used to create the encrypted channel.

However, the phone won't create the encrypted channel because it doesn't recognise the CA - the CA Root Certificate is not in the local store. The way around this is to install the CA Root Certificate in your phone.

That's what happens with Windows Mobile for example. And here comes the thing. Some smartphones allow loading new certs to the local store, some don't.

For example Windows Mobile Standard (Windows Mobile touchscreen) has a different security level than Windows Mobile Professional (Windows Mobile non-touchscreen). It means on Windows Mobile Standard you just need to load the cert from a file manager. It doesn't work on Windows Mobile Professional, where you have to first "unlock it" to allow self-signed CA Root Certs to be installed.

This is the same as in your Symbian device though. You have to load that certificate, and it's not easy on Symbian.

By the way, I used to run my own Exchange Server before, and used ActiveSync for years, based on this.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

freitasm

BDFL - Memuneh
80953 posts

Uber Geek
+1 received by user: 41729

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#328236 9-May-2010 17:26

Alternative method (not sure it works, I haven't tested it myself): http://thinkabdul.com/2006/07/24/installing-ssl-certificate-on-nokia-s60-3rd-edition-for-exchange-ac.../

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Zeon

3927 posts

Uber Geek
+1 received by user: 759

Trusted

#328262 9-May-2010 19:05

Can you not just use a standard HTTP connection? Is there a special requirement that the contacts/calendar are that highly confidential? I remember having the same problem myself and just used HTTP on the phones.

Even when we got a signed certificate, the Nokia phones still failed to recognize it :S

Speedtest 2019-10-14

mm1352000

1149 posts

Uber Geek
+1 received by user: 95
Inactive user

#328289 9-May-2010 21:10

@freitasm:
Thanks for the tip. I've essentially done that already but I'll give it another shot. I actually found some instructions that claim to allow me to embed the certificate in a cab file, so I'm going to try that too...

@Zeon:
At this point it is only going to be my dad using the thing, so maybe not essential. My problem is that I don't know enough to set up a dummy http service within IIS that I could use to check http accessibility on the phone. I really don't want to go to the effort of changing the Exchange services to http (especially given I don't really know what I'm doing, which is risky enough) with the chance that it might not work! The server also hosts a Trend Micro installation service which appears to be http only from within the domain. When RDP'd into the server (or on a computer within the domain), I can enter http://localhost/officescan (or http://[server name/IP]/officescan) in the browser and the service will load up. However from the internet I can only see it via https://smtp.[dns name]/officescan for some reason...

Kiwipixter

246 posts

Master Geek
+1 received by user: 1

#328290 9-May-2010 21:11

Zeon: Can you not just use a standard HTTP connection? Is there a special requirement that the contacts/calendar are that highly confidential? I remember having the same problem myself and just used HTTP on the phones.

Even when we got a signed certificate, the Nokia phones still failed to recognize it :S

Yes, you can disable SSL in the AS web service using IIS Admin tool. Instructions here,

http://social.technet.microsoft.com/Forums/en/exchangesvrmobility/thread/83152932-38d6-4326-8ed5-a9d1fbea5463

Geekzone support

Support Geekzone with one-off or recurring donations Donate via PressPatron.

Kiwipixter

246 posts

Master Geek
+1 received by user: 1

#328293 9-May-2010 21:25

mm1352000:
...
@Zeon:
At this point it is only going to be my dad using the thing, so maybe not essential. My problem is that I don't know enough to set up a dummy http service within IIS that I could use to check the accessibility (don't want to go to the effort of changing the Exchange services to http especially given I don't really know what I'm doing with a risk that it wouldn't work!). The server also hosts a Trend Micro installation service which appears to be http only from within the domain. When RDP'd into the server (or on a computer within the domain), I can enter http://localhost/officescan (or http://[server name/IP]/officescan in the browser and the service will load up. However from the internet I can only see it via https://smtp.[dns name]/officescan for some reason...

Why do you need to setup a dummy web service? You can access the AS web service by pointing your desktop browser to https://<servername>/Microsoft-Server-Activesync. Thats one way to check the AS service is responding to external requests.

Using OMA is another way to check connectivity. Load the URL https://<servername>/oma on your device browser. Even if you are using a private cert it should prompt you to accept the connection.

mm1352000

1149 posts

Uber Geek
+1 received by user: 95
Inactive user

#328330 10-May-2010 00:35

Kiwipixter: Why do you need to setup a dummy web service? You can access the AS web service by pointing your desktop browser to https:///Microsoft-Server-Activesync. Thats one way to check the AS service is responding to external requests.

Using OMA is another way to check connectivity. Load the URL https:///oma on your device browser. Even if you are using a private cert it should prompt you to accept the connection.

If you read earlier posts you will see that the server works with my N97. The 6120 fails to navigate to anything hosted by the server including /exchange, /officescan, /certsrv, /OMA and /Microsoft-Server-ActiveSync. In each case it asks if it is okay to navigate to a secure page (to which I respond "yes") but then never mentions the certificate, and then fails with the "web: unable to perform operation" message (note: the N97 does ask about the cert, and after accepting, loads the page).

The dummy web service would be to check if the phone could access regular http services (as opposed to https) hosted by the server without changing the current config (read: without risk of screwing something up and not being able to fix it). The other reason for a dummy service is that the TrendMicro officescan service is running as http and https services within the domain (network), but external (via internet) access is only possible via https. In short: firewall! I asked dad about this and was told that there is a Juniper NetScreen box ("a blue box" ;) ) of some description between the server and the internet. It seems that it functions as a firewall, internet gateway and router, and facilitates secure VPN access. I wanted to try to log in to it to see how it is configured but dad claims he doesn't have the login details ;) Anyhow I obviously won't be able to test unsecured access to anything until I can open port 80 in the Juniper box...

mm1352000

1149 posts

Uber Geek
+1 received by user: 95
Inactive user

#328429 10-May-2010 11:14

@freitasm: I tried the latest method you suggested but the phone still doesn't recognise the filetype with either .der or .cer extension.

I also tried the CAB method, but it seems that is only intended for Windows Mobile devices. Once again, the phone didn't recognise the filetype...

freitasm

BDFL - Memuneh
80953 posts

Uber Geek
+1 received by user: 41729

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#328435 10-May-2010 11:22

The CAB file is a Windows Mobile format. I guess you will have to find a Cert Load program around...

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

1 | 2 | 3